Revisions to the Fee Schedule for the Data Privacy Framework Program

AGENCY:

International Trade Administration, U.S. Department of Commerce.

ACTION:

Notice of revisions; request for public comments.

SUMMARY:

Consistent with the guidelines in OMB Circular A-25, the U.S. Department of Commerce's International Trade Administration (ITA) is revising the fee schedule that was last updated on April 12, 2017. This notice revises the Privacy Shield program fee schedule to reflect the change in the name of the program from the “Privacy Shield” program to the “Data Privacy Framework” program and to amend the fees. This is to support the operation of the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (collectively, the DPF program).

DATES:

The revisions to the fee schedule will become effective 30 days after the final fee schedule is published. Comments must be received by August 7th, 2024.

ADDRESSES:

You may submit comments by either of the following methods:

• Federal eRulemaking Portal at www.Regulations.gov. The identification number is ITA-2024-0001.
• Postal Mail/Commercial Delivery to Isabella Carlton, Department of Commerce, International Trade Administration, Room 11018, 1401 Constitution Avenue NW, Washington, DC, and reference “Revisions to the Fee Schedule for the Data Privacy Framework Program” in the subject line.

Instructions: You must submit comments by one of the above methods to ensure that the comments are received and considered. Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. All comments received are a part of the public record and will generally be posted to http://www.regulations.gov without change. All Personal Identifying Information ( e.g., name, address, etc.) voluntarily submitted by the commenter may be publicly accessible. Do not submit Confidential Business Information or otherwise sensitive or protected information. ITA will accept anonymous comments (enter “N/A” in the required fields if you wish to remain anonymous). Attachments to electronic comments will be accepted in Microsoft Word, Excel, or Adobe PDF file formats only. Supporting documents and any comments we receive on this docket may be viewed at http://www.regulations.gov/ ( http://www.regulations.gov/ ) ITA-2024-0001.

More information regarding the DPF program can be found at https://www.dataprivacyframework.gov/Program-Overview.

FOR FURTHER INFORMATION CONTACT:

Requests for additional information regarding the DPF program should be directed to Isabella Carlton, Department of Commerce, International Trade Administration, Room 11018, 1401 Constitution Avenue NW, Washington, DC, tel. (202) 482-1512 or via email at dpf.program@trade.gov. Additional information on ITA fees is available at trade.gov/fees.

SUPPLEMENTARY INFORMATION:

Background

On July 17, 2023, the U.S. Department of Commerce (DOC) launched the Data Privacy Framework (DPF) program. The EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively developed by the DOC and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the EU, UK, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. The EU-U.S. DPF amends the privacy principles that organizations adhered to under the EU-U.S. Privacy Shield Framework as the “EU-U.S. Data Privacy Framework Principles” (EU-U.S. DPF Principles), and the Swiss-U.S. DPF amends the privacy principles that organizations adhered to under the Swiss-U.S. Privacy Shield Framework as the “Swiss-U.S. Data Privacy Framework Principles” (Swiss-U.S. DPF Principles). For more detailed information on the DPF program, please see https://www.dataprivacyframework.gov/Program-Overview.

Consistent with the guidelines in OMB Circular A-25, Federal agencies are responsible for implementing cost recovery program fees. The role of ITA is to strengthen the competitiveness of U.S. industry, promote trade and investment, and ensure fair trade through the rigorous enforcement of U.S. trade laws and agreements. ITA works to promote privacy policy frameworks to facilitate the trusted flow of data across borders with strong privacy protections, which in turn supports international trade.

The U.S., EU, UK, and Switzerland share a commitment to enhancing privacy protection, the rule of law, and a recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies, but have different legal systems and take different approaches to doing so. Given those differences, the DOC developed the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF in consultation with the European Commission, the UK Government, the Swiss Federal Administration, industry, and other stakeholders. These arrangements were respectively developed to provide U.S. organizations reliable mechanisms for personal data transfers to the U.S. from the EU, UK, and Switzerland that are consistent with EU, UK, and Swiss law.

The DOC has issued the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles, including the respective sets of Supplemental Principles (collectively, the Principles) and Annex I to the Principles, as well as the UK Extension to the EU-U.S. DPF under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512).

To participate in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF an organization must: (1) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation (DOT), or another statutory body that will effectively ensure compliance with the Principles; (2) publicly declare its commitment to comply with the Principles; (3) publicly disclose its privacy policies in line with the Principles; and (4) fully implement the Principles.

While the decision by an organization to self-certify its compliance and to participate in the DPF is voluntary; effective compliance is compulsory: organizations that self-certify to the DOC and publicly declare their commitment to adhere to the Principles must comply fully with the Principles. Organizations that only wish to self-certify their compliance pursuant to the EU-U.S. DPF and/or the Swiss-U.S. DPF may do so; however, organizations that wish to participate in the UK Extension to the EU-U.S. DPF must participate in the EU-U.S. DPF. Such organizations' commitment to comply with the Principles with regard to transfers of personal data from the EU and, as applicable, the UK, and/or Switzerland must be reflected in their self-certification submissions to the DOC, and in their privacy policies. An organization's failure to comply with the Principles after its self-certification is enforceable: (1) by the FTC under Section 5 of the Federal Trade Commission (FTC) Act prohibiting unfair or deceptive acts in or affecting commerce (15 U.S.C. 45); (2) by the DOT under 49 U.S.C. 41712 prohibiting a carrier or ticket agent from engaging in an unfair or deceptive practice in air transportation or the sale of air transportation; or (3) under other laws or regulations prohibiting such acts.

U.S. organizations considering self-certifying their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF should review the requirements in their entirety, including the Principles and associated documents available in full at www.dataprivacyframework.gov.

Revisions to the Fee Schedule

ITA initially implemented a cost recovery program to support the operation of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworks (collectively, the Privacy Shield program) and is revising that fee schedule to support the operation of the DPF program. The cost recovery program will support the administration and supervision of the DPF program and support services related to the DPF program, including education and outreach. The revisions to the fee schedule will become effective 30 days after the final fee schedule is published.

The Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, published September 30, 2016 (81 FR 67293), describes the fees implemented by ITA to cover the administration and supervision of the EU-U.S. Privacy Shield Framework. The first amendment to the Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework, published April 4, 2017 (82 FR 16375), describes the additional fees implemented by ITA to cover the administration and supervision of the Swiss-U.S. Privacy Shield Framework. Under this revision to the fee schedule, organizations that opt to self-certify only for the EU-U.S. DPF, only the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, or only the Swiss-U.S. DPF will pay a single fee when initially self-certifying or re-certifying. Organizations that opt to self-certify for an additional framework will pay an additional 50 percent of that single fee when self-certifying or re-certifying for the additional framework, reflecting the efficiency savings in administering the DPF program for organizations that participate in multiple parts of the DPF program. As organizations that wish to participate in the UK Extension to the EU-U.S. DPF must participate in the EU-U.S. DPF, the annual fee that such organizations are required to pay to ITA to participate in the EU-U.S. DPF currently covers both the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

These efficiency savings are maximized if organizations self-certify to multiple parts of the DPF program simultaneously, reducing the required staff time and resources for reviewing materials.

In addition, organizations that participate in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF may adjust their annual re-certification due date by re-certifying early ( i.e., before the applicable due date) to the relevant part(s) of the DPF program.

Although an organization may adjust its annual re-certification due date by re-certifying early, the re-certification due date would apply to all parts of the DPF program in which it participates ( i.e., re-certification to the relevant part(s) of the DPF program is synchronized). For example, if an organization initially self-certified exclusively to and was placed on the Data Privacy Framework List with regard to the EU-U.S. DPF, and then several months later self-certified to and was placed on the Data Privacy Framework List with regard to the Swiss-U.S. DPF, the organization's next re-certification to both of those parts of the DPF program would be due by the same date.

Additionally, a fixed annual fee of $260 will be charged per applicable framework for organizations that withdraw from the relevant part(s) of the DPF program, retain personal data that they received in reliance on their participation in the relevant part(s) of the DPF program, continue to apply the Principles to such data, and affirm to ITA on an annual basis their commitment to apply the Principles to such data. This fee has been set to cover staff costs for reviewing the “Post-Withdrawal, Annual Affirmation Questionnaire”, which must be submitted by organizations that have chosen the aforementioned option when withdrawing from the relevant part(s) of the program, as well as the necessary website infrastructure to facilitate submission of the proper documents. Additionally, this fee is set to be less than any organization would be required to pay for re-certification. The fee schedule is set forth below:

For purposes of the annual fee schedule described above:

• “A single framework” could refer to any of the following: only the EU-U.S. DPF; only the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF; or only the Swiss-U.S. DPF.
• “Both frameworks” could refer to any of the following: the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF; or only the EU-U.S. DPF and the Swiss-U.S. DPF.

Organizations will have additional direct costs associated with participating in the DPF program. For example, organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Furthermore, organizations are required to make contributions in connection with the arbitral model, as described in Annex I to the Principles.

Method for Determining Fees

ITA collects, retains, and expends user fees pursuant to delegated authority under the Mutual Educational and Cultural Exchange Act as authorized in its annual appropriations acts. The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the EU/European Economic Area, UK, and Switzerland. The Data Privacy Framework program operates in a way that provides strong privacy protection as well as a more effective and efficient service to participants at a lower cost than other options, including standard contractual clauses or binding corporate rules.

Fees are set by taking into account the operational costs borne by ITA to administer and supervise the Data Privacy Framework program. The DPF program requires a significant commitment of resources and staff. These costs include broad programmatic costs to run the program as well as costs specific to EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. The DPF program includes commitments from ITA to:

• Maintain, upgrade, and update a DPF program website, including maintaining the Data Privacy Framework List (i.e., the authoritative list of U.S. organizations that have self-certified to the DOC, as represented by ITA, and declared their commitment to adhere to the Principles;
• Verify self-certification requirements submitted by organizations to participate in the DPF program;
• Follow up with organizations that have been removed from the Data Privacy Framework List and ensure, where applicable, that questionnaires are correctly filed and processed;
• Search for and address false claims of participation;
• Conduct periodic compliance reviews and assessments of the program;
• Provide information regarding the program to targeted audiences;
• Increase cooperation with European data protection authorities;
• Facilitate resolution of complaints about non-compliance;
• Hold periodic meetings with the European Commission, the UK government, the Swiss government, and other authorities to review the program; and
• Provide the EU, UK, and Switzerland with updates on laws relevant to the DPF program.

In setting these revised DPF program fees, ITA determined that the services provided offer special benefits to an identifiable recipient beyond those that accrue to the general public. ITA calculated the actual cost of providing its services in order to provide a basis for setting each fee. This actual cost incorporates direct and indirect costs, including operations and maintenance, overhead, and charges for the use of capital facilities. ITA also took into account additional factors, including inflation, adequacy of cost recovery, affordability, and costs associated with alternative options available to U.S. organizations for the receipt of personal data from the EU, the UK, and Switzerland. Furthermore, ITA considered the cost-savings and efficiencies gained in staff hours through simultaneous review of self-certifications for the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. This analysis balanced these cost savings with projected expenses, including, but not limited to, website development, further negotiations with the EU, the UK, and Switzerland, periodic reviews, certification reviews, and facilitating complaint resolutions.

ITA will continue to use the established five-tiered fee schedule (see 82 FR 16375) that promoted participation of small organizations in the Privacy Shield program, while amending the fees at each tier to account for increased program administration costs. A multiple-tiered fee schedule allows ITA to offer organizations with lower revenue a lower fee. In setting the five tiers, ITA considered, in conjunction with the factors mentioned above: (1) the Small Business Administration's guidance on identifying small and medium enterprises (SMEs) in various industries most likely to participate in the DPF program, such as computer services, software and information services; (2) the likelihood that small companies would be expected to receive less personal data and thereby use fewer government resources; and (3) the likelihood that companies with higher revenue would have more customers whose data they process, which would use more government resources dedicated to administering and overseeing the DPF program. For example, if a company holds more data, it could reasonably produce more questions and complaints from consumers and European data protection authorities (DPAs). ITA has committed to facilitating the resolution of individual complaints and to communicating with the FTC and the DPAs regarding consumer complaints. Lastly, the fee increases between the tiers are based in part on projected program costs and estimated participation levels among companies within each tier.

As noted above, the revisions to the fee schedule recoups the costs to ITA for operating and maintaining the DPF program. ITA has taken into account the efficiencies and economies of scale experienced when organizations participate in multiple Frameworks by providing a 50 percent discount off adding another framework program and requiring organizations to synchronize their re-certifications. The added cost of joining an additional framework program reflects the additional expenses incurred, including, but not limited to, for communications with DPAs and website infrastructure and development, as well as the additional costs of cooperating and communicating separately with the EU, UK, and Swiss representatives and governments.

The fee applied to organizations that withdraw from relevant part(s) of the DPF program, but that maintain data, is meant to cover the programmatic costs associated with ITA's processing of such organizations' annual affirmation of commitment to continue to apply the Principles to the personal data they received while participating in the relevant part(s) of the DPF program. The flat fee is based on the expectation that government resources required to process this annual affirmation will be similar for all companies, regardless of size.

Based on the information provided above, ITA believes that the revised DPF program cost recovery fee schedule is consistent with the objective of OMB Circular A-25 to “promote efficient allocation of the nation's resources by establishing charges for special benefits provided to the recipient that are at least as great as the cost to the U.S. Government of providing the special benefits . . .” (OMB Circular A-25(5)(b)). ITA is providing the public with the opportunity to comment on the revisions to the fee schedule. ITA will then review all comments and publish the final fee schedule 30 days before the final fee schedule becomes effective. ITA administers and supervises the DPF program, including maintaining and making publicly available the Data Privacy Framework List, an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Principles pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF.

Paperwork Reduction Act

In accordance with the Paperwork Reduction Act of 1995 (PRA), ITA published proposed information collection as described in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF for public notice and comment (88 FR 19067 and 88 FR 37509). The approved OMB Control Number for that information collection is 0625-0280 (expires 07/31/2026). That approval allows ITA to collect information from organizations in the United States, including information concerning their annual revenue, to enable such organizations to self-certify to the DOC. Such information collection is critical to ITA's administration and supervision of the DPF program, including its maintenance of the authoritative, public list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Principles. The instant revisions to the DPF program cost recovery fee schedule do not impose any new information collection request (ICR) requirements or revise the current approved burden hours and administrative costs associated with the self-certification process under the approved OMB Control Number.